@nielsvanderbeke
Created February 26, 2014 08:15
Security by obscurity APACHE

Problem

HTML comments can expose information about the system where the webpages run.

Solution 1

ExtFilterDefine strip_comments remove_comments mode=output \
	intype=text/html cmd="/bin/sed s/\<\!--.*--\>//g"
<LocationMatch /cgi-bin/wm*>
	SetOutputFilter remove_comments
</LocationMatch>

That works as an immediate firefighting exercise, but beyond that it's a terrible solution to the problem:

  • It's a huge performance hit. By the end of the chapter, Barnett has applied three such filters. If you apply that to static documents, it could eat up more than 99% of the total memory and CPU used by Apache per request. That'll be further amplified by its adverse effect on caching.
  • He's overlooked regexp greediness: `.*` matches as much as it can, so on a line containing two comments the pattern eats everything from the first `<!--` to the last `-->`, markup in between included.
  • Using line-oriented patterns means that a comment split over multiple lines will be missed, so the solution doesn't usefully generalise.

Solution 2

Fortunately there are better solutions available:

  • mod_line_edit, mod_substitute or mod_sed can be used as an exact equivalent to mod_ext_filter+sed, but at a tiny fraction of the performance overhead. They can also be configured to generalise better.
  • For HTML pages, markup-aware filters can do the job more intelligently, again at a much-reduced overhead compared to mod_ext_filter.

In fairness to Barnett, things have changed since he wrote his book. mod_line_edit was published in December 2005, just three months before Barnett's book, while the other modules came later. Several markup-aware modules that'll do the job are older (going back to 2003), but none of them was intended or advertised as a security aid.

So, let's look at how we can improve on Barnett's solution to information disclosure. First, we just replace Barnett's solution with mod_line_edit:

SetEnv LineEdit "text/html"
LERewriteRule <!--.*-->	""
<LocationMatch /cgi-bin/wm*>
	SetOutputFilter line-editor
</LocationMatch>

Right. That helps with performance. To implement Barnett's other fixes, we introduce two more LERewriteRules, which mod_line_edit applies in a single, efficient parse. We've eliminated three external program calls (in effect, three times the "CGI overhead"), and reduced the number of times we parse the document from three to one.

Fixing the regexp is easy: for example, works. That leaves us with multi-line comments to deal with. mod_line_edit can do that too: with

LELineEnd NONE

it will slurp the whole document into memory before parsing (a significant performance overhead for large responses, but vastly better than an ext_filter). Or, with

LELineEnd CUSTOM >

it will treat > as the "line end", so that comments will be parsed whole (provided no literal > appears within a comment; if one does, the comment is split across two "lines" and survives the filter).
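To make the three failure modes above concrete, here is an added Python model (not code from the gist, from apachetutor, or from mod_line_edit) of the filtering behaviours described: per-line matching as sed does, whole-body matching as with LELineEnd NONE, and '>'-terminated chunks as with LELineEnd CUSTOM >. The response body, the hostname and the path in it are constructed for the example.

```python
import re

# Constructed sample response body: two comments on one line (greediness
# trap), one comment spanning lines (line-orientation trap), and one
# comment containing a literal '>' (the LELineEnd CUSTOM > caveat).
SAMPLE = (
    "<p>Intro</p>\n"
    "<!-- a --><b>keep me</b><!-- b -->\n"
    "<!-- build host: build-01.internal\n"
    "     deployed from /srv/app -->\n"
    "<!-- note: x > y here --><p>Outro</p>\n"
)

GREEDY = re.compile(r"<!--.*-->")            # the sed / LERewriteRule pattern above
LAZY = re.compile(r"<!--.*?-->", re.DOTALL)  # non-greedy; DOTALL lets it span newlines


def strip_per_line(html, pattern):
    """Line-oriented filtering, as sed and a default mod_line_edit parse do:
    each newline-terminated line is filtered on its own."""
    return "".join(pattern.sub("", line) for line in html.splitlines(keepends=True))


def strip_whole(html, pattern):
    """LELineEnd NONE: the whole body is one 'line', so a comment that spans
    newlines can be matched (only sensible with a non-greedy pattern)."""
    return pattern.sub("", html)


def strip_custom_end(html, pattern, end=">"):
    """LELineEnd CUSTOM >: every '>' terminates a 'line'. Multi-line comments
    are seen whole, but a literal '>' inside a comment splits it in two
    chunks, neither of which matches, so that comment leaks."""
    chunks = re.split("(?<=" + re.escape(end) + ")", html)
    return "".join(pattern.sub("", chunk) for chunk in chunks)


def leaked_comments(html):
    """Comments still present after filtering; an empty list is the goal."""
    return LAZY.findall(html)


if __name__ == "__main__":
    for name, out in [("sed, greedy", strip_per_line(SAMPLE, GREEDY)),
                      ("per line, lazy", strip_per_line(SAMPLE, LAZY)),
                      ("LELineEnd NONE", strip_whole(SAMPLE, LAZY)),
                      ("LELineEnd CUSTOM >", strip_custom_end(SAMPLE, LAZY))]:
        print(name, "-> leaked:", leaked_comments(out), "| keep me:", "keep me" in out)
```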

Source

http://www.apachetutor.org/security/information-leak
